diff --git a/modules/reference/pages/feature/openidConnectClient/examples.adoc b/modules/reference/pages/feature/openidConnectClient/examples.adoc index 54953cb4cf..88eea01d92 100644 --- a/modules/reference/pages/feature/openidConnectClient/examples.adoc +++ b/modules/reference/pages/feature/openidConnectClient/examples.adoc @@ -13,7 +13,7 @@ The following examples demonstrate configuration options for the OpenID Connect - <<#oauth,Accept an OAuth 2.0 bearer access token without redirecting to an OpenID Connect provider>> - <<#context,Modify the context root>> - <<#params,Pass request parameters to OpenID Connect>> - +- <<#access-token,Check the access token for user and group information>> [#minimal] === Minimal configuration for Open Liberty to act as an OpenID Connect client @@ -360,3 +360,19 @@ To provide extra authorization parameters to the OP, configure `authzParameter` ---- To configure parameters for the token endpoint, use the `tokenParameter` element. + +[#access-token] +=== Check the access token for user and group information + +If `userIdentifier` or `groupIdentifier` values are not found in the ID token, Open Liberty can also check in the access token and the `UserInfo` endpoint. + +Set the `tokensOrderToFetchCallerClaims` attribute to `AccessToken IDToken Userinfo`, as shown in the following example. + +[source,xml] +---- + +---- + +In this example, Open Liberty checks for `userIdentifier` and `groupIdentifier` values first in the access token, then the ID token, and lastly, calls the `UserInfo` endpoint. If the values are not found in any of those locations, an unauthorized response code is returned. + +If the `tokensOrderToFetchCallerClaims` attribute is not specified, the default value is `IDToken` and Open Liberty checks only the ID token for user and group information.
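Review bot: the `[source,xml]` block added under the new `[#access-token]` section is empty (the only `+` line between the two `----` delimiters is blank), so the sentence "as shown in the following example" points at nothing; fill it with the `openidConnectClient` element carrying `tokensOrderToFetchCallerClaims="AccessToken IDToken Userinfo"` so readers can copy the setting rather than guess its placement. The spelling also needs a check: the attribute value uses `Userinfo` while the prose calls it the `UserInfo` endpoint, so confirm which form the attribute actually accepts and use it consistently in both places. Finally, the section should say what kind of access token this applies to, since claims can only be read from an access token the server can parse and validate (a JWT), not from an opaque token; a one-line caveat would save readers from assuming the order works with any token type.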